Thursday, October 08, 2009

IT applications are akin to the organization's blood vessels because they carry critical information and execute key processes. However, due to a peripheral approach to security, application security is often neglected.

Applications require strong embedded security to prevent breaches. Hence enterprises should start to address security at the software development lifecycle's (SDLC) early stages. There are several ways to go about this.

Education: Because business users or customers are often unaware about security risks, developers and the application architect should be familiar with possible security threats and application attacks. These personnel should inculcate the application security culture throughout the lifecycle.

If you estimate risk correctly from the beginning, it will also help you to save on costs. According to an industry statistic, if the cost of fixing a bug at design phase is X, post the release it would cost 60X. The cost of fixing bugs increases during each stage of application development. Developers can be trained on dummy applications to help them learn how attackers operate.

Build a threat model: A threat model for your application is essential to identify the involved risks, possible attack scenarios, controls and risk mitigation costs. To start, you should understand the application's utilization. You can categorize an application based on usage (internet or intranet), data sensitivity (sensitive or non-sensitive) and the technology used (web based or non-web based application). These parameters help you categorize the application security level as high, medium or low. Based on this classification, security controls are integrated during the application design process.

About Me

He is involved in Application Security Consulting and establishing App Security across SDLC. He also conducts security workshops for the developer community. Besides interest in App Security, he likes Performance Testing and tuning of web applications.